Security issues on Craigslist

I've been listing a few bits and pieces on Craigslist over the last week or two, and am running into the same old problem of being bombarded with a ton of scam responses - it gets to a point where you're lucky if 1 in 10 is a legitimate inquiry.

I don't respond to them, but I'm always left scratching my head trying to figure out what they're supposed to accomplish. They fall into two categories. The first are what I call 'echo' emails, posts that contain a line of text copied directly from one of my posts, with a question mark appended to the end. The best I can figure is that the scammers are using some kind of auto-mailer that selects a passage from one of my posts and puts a question mark on the end to make it seem as if someone's making a legitimate inquiry on the item. The other emails, which I've also come across elsewhere, simply contain random words - how they're supposed to elicit a response I don't know.

I have been caught out before on Craigslist by what I thought was a real inquiry, only to discover that my responding to it apparently posted all my email contacts - the first I knew about it was when some friends informed me that their security systems were flagging the resulting emails. Is that what these other emails are attempting to do?

Even though I've started including a clause in my posts that states that I'll only respond to phone numbers (and I only use my cell phone to call, rather than the home number) there are the odd responses that don't provide a number but look legit - for those I don't hit 'reply' but copy the address from the body of the email and paste it into a new post.

All of this takes place on my Windows-based PC, but I'm thinking of switching all my Craigslist correspondence over to the Ubuntu-based PC for added security. I'm not sure if it will work though, as I don't know if these scam posts work off my own hardware to acquire data such as my email contacts, or if they tap directly into the online email account I use when/if I respond, in which case whatever PC or OS I use may be a moot point. Would I be more secure switching all related correspondence to an Ubuntu-based machine, or is there still a threat?

Re: Security issues on Craigslist

Hi again,
I didn't think for one minute that it would stop the scam posts coming in - more a case of hoping that using a Linux-based system would negate whatever it is that they embed in the email that steals my information if I respond directly to the email. See, I have a laptop at hand that I've recently installed Ubuntu on which is completely clean - I figured that between the machine being non-Windows, and having a clean install as well, there's nothing there for the nasty email content to target or manipulate. But if the emails are zeroing in on the email site I use online for Craigslist, rather than the hardware, it really wouldn't matter. So that's what I'm trying to sort out. That and to give me a better idea of how they function.

Also just to clarify, I don't put my own phone number in the content - that I don't need! I simply state that if any buyer is interested in items I'm selling to send me a post with their own phone number included.

Re: Security issues on Craigslist

I received a text last night that said my mobile number had won $15000000 in a lottery.
So whatever it is you're selling, I will be able to afford it.
I just need to email someone in China to get the cash.

On a serious note, I would use Ubuntu for your browsing and possibly change your email password.

The easiest way to protect your identity is to set up an email address at one of the web-based services such as Yahoo or Gmail, and use that email address for your Craig's List account. That way, whether you're listing or responding to an ad, the email lookup scammers don't get any critical information about you. And, be smart - don't set up an account such as john.doe@gmail.com - you've just given away your name again to the email lookup scammers! Instead, try twoleggeddoe@gmail.com

Re: Security issues on Craigslist

Scam artists have their way of convincing innocent people to do things they don’t normally do. They have the talent to get anyone’s trust by being friendly and nice.
That is why it’s important for us to have this kind of warning, so that we are able to share it with our family and friends. Being careful isn’t enough; we should also spread awareness.
I would also like to share a scam warning about a certain Robert Bonaccolta. A foreign investor unfortunately was scammed by Robert Bonaccolta also known as Bobby with over $300,000 in a real estate transaction.

Re: Security issues on Craigslist

Okay, I will try this one more time.

This is NOT about scams per se, it is not about answering stupid emails from Nigeria, or about being dumb enough to hand out personal data to someone stating that you've won a lottery, nor is it about being gullible enough to fall for supposed security breach notices from banks, PayPal, eBay, etc. asking you to reset your passwords.

This is simply about people trying to entice you to reply to their emails by asking questions on items you're selling. What you say isn't relevant - you could reply with 'it's a sunny day' and still get smacked. They aren't asking for personal data - it's hitting that 'reply' button that's the key. Some kind of macro they're embedding in their emails is somehow being activated by the very action of hitting 'reply' so that not only are you sending them a post containing a reply to what seems like a legitimate request for further information on the item you're selling, but it's somehow acquiring email addresses as well without it actually showing up in the text.

This process is making it a nightmare to deal on sites like Craigslist, because it gets harder and harder to know which email inquiries are legit and which ones are simply fishing for a reply of any kind that will transmit the email data they're surreptitiously fishing for. My security programs aren't picking anything up, which is of no help at all.

So I'll ask again. Is this nefarious activity taking place on the email site servers and trying to grab email addresses there, or is it taking place on my hardware? If it's site specific then the solution is easy, which is to set up an account specifically for Craigslist use, which I already have done. If it's hardware specific and exploiting weaknesses in Windows (my main PC) would Linux be immune to such exploitation if I switched to doing my Craigslist work on my Ubuntu PC? I need to know one way or the other.

Re: Security issues on Craigslist

Originally Posted by timbo59

So I'll ask again. Is this nefarious activity taking place on the email site servers and trying to grab email addresses there, or is it taking place on my hardware? If it's site specific then the solution is easy, which is to set up an account specifically for Craigslist use, which I already have done. If it's hardware specific and exploiting weaknesses in Windows (my main PC) would Linux be immune to such exploitation if I switched to doing my Craigslist work on my Ubuntu PC? I need to know one way or the other.

It is not taking place on your hardware. It is not taking place on your Operating System (be it Windows or Linux).

There are a lot of variations of the scam; some of them are social engineering, where they are trying to extract information from you, probably in the hopes of getting bank or credit card accounts to steal.

The one you mentioned in your OP, where they emailed all your contacts, probably involved a script. If it's a web-based email system then it could be JavaScript that executed inside the browser. If that's the case then it would be entirely independent from your operating system. You could run Linux, Mac, Windows, BSD, Solaris, etc. and it would function the same. Or the whole point of the spam email could be for you to click on a link (a link that looked like a reply button?). Once an attacker gets you on a web page he controls, the possible attacks are innumerable.

The mitigation that Cariboo907 and I both suggested is to have an email account only for Craigslist. Craigslist seems to have a built-in email account that will anonymize your address. That's a great idea.
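
Added example (not part of any post in this thread): a small check of an HTML message body for the two things the last reply describes, script content and a link whose text imitates a reply control but points at a web page instead of a mailto: address. The REPLY_WORDS list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed wording for a link dressed up as a reply control.
REPLY_WORDS = ("reply", "respond", "answer")

class MailAudit(HTMLParser):
    """Collect script content and reply-lookalike links from an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append(("script", attrs.get("src") or "inline"))
        for name in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        label = "".join(self._text).lower()
        scheme = urlparse(self._href).scheme.lower()
        # A real reply opens the mail composer; a web URL leaves the mailbox.
        if scheme in ("http", "https") and any(w in label for w in REPLY_WORDS):
            self.findings.append(("reply-lookalike", self._href))
        self._href = None

def audit(html_body):
    parser = MailAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample message body, not taken from a real email.
SAMPLE = """<p>Is the table still available?</p>
<a href="https://mail-reply.example/r?id=1">Reply to this message</a>
<a href="mailto:buyer@example.org">buyer@example.org</a>
<img src="x.png" onload="track()">
<script src="https://cdn.example/c.js"></script>"""
```

The check reads only the message markup, so it gives the same result on Windows or Ubuntu, which matches the point made in the last reply.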